Grabbing NTLM hashes from a Windows Server

[hongman]

Hi

Ok, consider this scenario.

I have managed to gain LAN access to a network, but have no Windows credentials (i.e hacked wireless, or have physcial port access).

The ways I know of to grab NTLM password hashes are:

Using something using something like metasploit
ARP Poisoning to sniff NTLM passwords as users authenticate with DC (I think?)
Using something like pwdump or fgdump to nab them.

Today I have been playing with pwdump/fgdump.

Testing on my own network is fine, as I have adminsitrator priv's, can disable AV (McAfee), etc.

But on a real pentest environement I will have neither of these.

What is the best way to grab these (stealthily) so that I can crack them with the various hash cracking tools later on?

[themen]

Hy there

Actually i'm working on the same Goals...
Today, i tried with ARP Poising to sniff some Hashes from the Domain Controller, without luck ;-)
(But, i didn't spend a lot of time...)

The way worket for me, was simpler. (Because you need to know the Domain Controller...)
I realized that theres a SharePoint Server and the Traffic was routet Out of the Lan (perhaps a guest Lan).
So, i simply poisgned route from my victim to the router and this way i received the hash ;-)

In the near future - i trie to catch a hash from a domain controller, if i find some time.
Let me know, the status of your project ;-)